Ever wonder when new controls are published for Policy Compliance? You’re not alone. With the rapid increase in Policy Compliance Control IDs (CIDs) over the past year, many customers wanted a more proactive notification of new content. We have heard you loud and clear. With the release of QualysGuard 6.16, users can now receive weekly or monthly email notifications for new and modified CIDs within Policy Compliance.
Setting Up Control Notification
Control Notification is not enabled by default. To receive email notifications for new and modified CIDs, perform the following steps:
From the Tools section, select User Accounts
Edit the User Account that should receive Control Notifications
Click on Advanced
Under Notification Options, select Weekly or Monthly for Latest Controls
Figure 1: Edit User: Latest Controls Notification
Receiving Control Notifications
After enabling Control Notifications, the user will receive an email summarizing the new and modified CIDs for Policy Compliance.
Figure 2: Control Notification: Email
In addition, a .CSV file is attached to the email with additional information.
Even after you implement policy compliance checks that enforce best practices for strong passwords, your users can still choose insecure passwords. The policy may stop them from picking a password with fewer than eight characters or one made up only of letters, but as long as a password satisfies the rules you configured, a user can still set it equal to their user name or the company name, and those passwords are among the easiest to guess.
To catch this type of password weakness, your policy compliance scans need to test the actual passwords in use on each host, not just the rules governing which passwords can be created. Three such password auditing checks are now available in the QualysGuard 6.15 Update:
CID 3893 – Empty passwords
This control identifies user accounts with empty passwords.
CID 3894 – Password matches user name
This control identifies user accounts whose password matches the user name exactly, or the user name converted to all upper-case or all lower-case.
CID 3895 – Password matches an entry in the password dictionary
This control identifies user accounts where the password is equal to an entry in the user-defined password dictionary.
To gather this data, the scanning engine uses a dissolvable agent on Windows systems to collect user password information from target hosts. The agent sends the password information to the scanner over a secure channel for analysis and securely erases its own copy once the tests complete.
Using Password Auditing
Enable Password Auditing
Password Auditing is not enabled in compliance scans by default. To use this feature, create or edit a compliance profile with Password Auditing enabled and, optionally, a password dictionary defined.
Then launch or schedule a compliance scan that uses this compliance profile on the hosts you want to audit.
Add Password Auditing Controls to Policy
Add the three new password auditing controls (Control IDs 3893, 3894 and 3895) to a new or existing compliance policy. These controls are supported for Windows and Unix technologies.
Run Compliance Report
Generate compliance reports to compare the data gathered from your hosts during the compliance scan with the expected values defined in your compliance policy. Each user account that violates a Password Auditing control is listed in the Actual field of the report. Because that field names every account with an empty, guessable or dictionary password, restrict access to these reports and the underlying scan results as you would any other credential material.
Figure 4: Compliance Report with Password Auditing controls